Description
BIND was improperly sequencing cleanup operations on upstream recursion fetch contexts, leading in some cases to a use-after-free error that can trigger an assertion failure and crash in named. Affects BIND 9.0.0 to 9.8.x, 9.9.0 to 9.9.11, 9.10.0 to 9.10.6, 9.11.0 to 9.11.2, 9.9.3-S1 to 9.9.11-S1, 9.10.5-S1 to 9.10.6-S1, 9.12.0a1 to 9.12.0rc1.
CVSS breakdown
CVSS 3.0
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Affected products
- ISC / BIND 99.0.0 to 9.8.x, 9.9.0 to 9.9.11, 9.10.0 to 9.10.6, 9.11.0 to 9.11.2, 9.9.3-S1 to 9.9.11-S1, 9.10.5-S1 to 9.10.6-S1, 9.12.0a1 to 9.12.0rc1 – 9.0.0 to 9.8.x, 9.9.0 to 9.9.11, 9.10.0 to 9.10.6, 9.11.0 to 9.11.2, 9.9.3-S1 to 9.9.11-S1, 9.10.5-S1 to 9.10.6-S1, 9.12.0a1 to 9.12.0rc1
References
- VENDOR_ADVISORYhttps://access.redhat.com/errata/RHSA-2018:0102
- VENDOR_ADVISORYhttps://access.redhat.com/errata/RHSA-2018:0487
- VENDOR_ADVISORYhttps://www.debian.org/security/2018/dsa-4089
- VENDOR_ADVISORYhttps://access.redhat.com/errata/RHSA-2018:0488
- VENDOR_ADVISORYhttps://access.redhat.com/errata/RHSA-2018:0101
- MISChttp://www.securitytracker.com/id/1040195
- MISChttps://kb.isc.org/docs/aa-01542
- MISChttp://www.securityfocus.com/bid/102716
- MAILING_LISThttps://lists.debian.org/debian-lts-announce/2018/01/msg00029.html
- MISChttps://security.netapp.com/advisory/ntap-20180117-0003/
- MISChttps://supportportal.juniper.net/s/article/2018-07-Security-Bulletin-SRX-Series-Vulnerabilities-in-ISC-BIND-named